#!/bin/sh

set -u # Treat unset variables as an error.

# Activate debug logging.
if is-bool-val-true "${CONTAINER_DEBUG:-0}"; then
    echo "-Log"
    echo "*:stderr:100"
    echo "-verbose"
    echo "10"
fi

# Make sure the X server listens on Unix only.
echo "-nolisten"
echo "tcp"
echo "-nolisten"
echo "local"
echo "-listen"
echo "unix"

# Window size.
echo "-geometry"
echo "${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}"

# Color depth.
echo "-depth"
echo "24"

# VNC listening port.
if [ "${VNC_LISTENING_PORT:-5900}" -eq -1 ]; then
    # VNC port is disabled.
    echo "-rfbport=-1"
elif is-bool-val-true "${SECURE_CONNECTION:-0}" && [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" = "SSL" ]; then
    # SSL secure connection enabled: disable TCP listening. Nginx is handling
    # the SSL connection and forward VNC to Xvnc via Unix socket.
    echo "-rfbport=-1"
else
    echo "-rfbport=${VNC_LISTENING_PORT:-5900}"

    # Support for IPv6.
    if ifconfig -a | grep -wq inet6; then
        echo "-UseIPv6=yes"
    else
        echo "-UseIPv6=no"
    fi
fi

# Allow connections from localhost only.
if is-bool-val-true "${VNC_LOCALHOST_ONLY:-0}"; then
    echo "-localhost"
fi

# VNC Unix socket.
echo "-rfbunixpath=/tmp/vnc.sock"
echo "-rfbunixmode=0660"

# VNC security.
#
# None:      No authentication, no encryption.
# VncAuth:   Standard VNC authentication, no encryption.
# Plain:
# TLSNone:   No authentication, TLS encryption.
# TLSVnc:    Standard VNC authentication, TLS encryption
# TLSPlain:
# X509None:  No authentication, TLS encryption with server certificate verification.
# X509Vnc:   Standard VNC authentication, TLS encryption with server certificate verification.
# X509Plain:
#
PASSWORD_FILE=
if [ -f /config/.vncpass ] && [ -n "$(cat /config/.vncpass)" ]; then
    PASSWORD_FILE=/config/.vncpass
elif [ -f /tmp/.vncpass ] && [ -n "$(cat /tmp/.vncpass)" ]; then
    PASSWORD_FILE=/tmp/.vncpass
fi

if [ -n "${PASSWORD_FILE}" ]; then
    # With password.
    if is-bool-val-false "${SECURE_CONNECTION:-0}" || [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" = "SSL" ]; then
        echo "-SecurityTypes=VncAuth"
    else
        echo "-SecurityTypes=X509Vnc,TLSVnc"
    fi
    if is-bool-val-true "${WEB_AUTHENTICATION:-0}"; then
        echo "-InternalConnectionSecurityTypes=None"
    else
        echo "-InternalConnectionSecurityTypes=VncAuth"
    fi
    echo "-rfbauth=${PASSWORD_FILE}"
else
    # Without password.
    if is-bool-val-false "${SECURE_CONNECTION:-0}" || [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" = "SSL" ]; then
        echo "-SecurityTypes=None"
    else
        echo "-SecurityTypes=X509None,TLSNone"
    fi
    echo "-InternalConnectionSecurityTypes=None"
fi

if is-bool-val-true "${SECURE_CONNECTION:-0}" && [ "${SECURE_CONNECTION_VNC_METHOD:-SSL}" != "SSL" ]; then
    echo "-X509Key"
    echo "/config/certs/vnc-privkey.pem"
    echo "-X509Cert"
    echo "/config/certs/vnc-fullchain.pem"
fi

if is-bool-val-true "${DISABLE_GLX:-0}"; then
    echo "-extension"
    echo "GLX"
fi

# Desktop (app) name.
echo "-desktop=${APP_NAME}"

# Add custom parameters if defined.
for param in ${XVNC_SERVER_CUSTOM_PARAMS:-}; do
    [ -n "${param}" ] || continue
    echo "${param}"
done

# X11 display.
echo "${DISPLAY}"
